View
0
Download
0
Category
Preview:
Citation preview
NFM 2010
Coverage Metrics for Requirements-Based Testing: Evaluation of Effectiveness
Matt Staats, Michael W. Whalen, Mats HeimdahlUniversity of Minnesota
NFM 2010NFM 2010
Ajitha RajanLaboratoire d’Informatique de Grenoble
2 NFM 2010
Testing Process
Implementation
Requirements Tests
Talented Developers
Derives
Derives
Execute Over
3 NFM 2010
Testing Process
Implementation
Requirements Tests
Talented Developers
Derives
Are the tests adequate?
Derives
Measure Adequacy Using
Execute Over
White Box Adequacy
4 NFM 2010
Testing Process Revised
Implementation
Requirements Tests
Talented Developers
Derives
Derives
Measure Adequacy Using
Execute Over
Black Box Adequacy
5 NFM 2010
Formalized Requirements“If the onside FD cues are off, the onside FD cues shall
be displayed when the AP is engaged”G((¬ Onside_FD_On ∧ ¬ Is_AP_Engaged) →
X(Is_AP_Engaged → Onside_FD_On))
• Possible Coverage Metrics Naïve requirements coverage: Single test case that
demonstrates that requirement is satisfied Prone to “dumb” tests, e.g., execution in which AP is
never engaged. More rigorous metrics are necessary
6 NFM 2010
Antecedent Coverage• Many of the requirements in the FGS are of
the form : • Globally if ‘A’ occurs then ‘C’ will occur
G (A → C)• Two ways of satisfying (A → C)
– A is false– A is true and C is true
• Antecedent Coverage – Test cases will exercise the antecedent.
S0 S1 Sn
Not A Not A A, C
7 NFM 2010
Antecedent Coverage• Many of the requirements in the FGS are of
the form : • Globally if ‘A’ occurs then ‘C’ will occur
G (A → C)• Two ways of satisfying (A → C)
– A is false– A is true and C is true
• Antecedent Coverage – Test cases will exercise the antecedent.
S0 S1 Sn
Not A Not A A, C
What if: A∨B → C
8 NFM 2010
Unique First Cause (UFC) Coverage
• UFC is an extension of MC/DC to paths Must show individual affect of each atomic
condition as Unique First Cause along path
9 NFM 2010
Example LTL property - G( A \/ B → C).
Unique First Cause (UFC) Coverage
S0 S1 S2 S3 Si
A, ¬B, C¬A, ¬B, ¬C ¬A, B, C
¬A, ¬B, ¬C
• UFC is an extension of MC/DC to paths Must show individual affect of each atomic
condition as Unique First Cause along path
¬A, ¬B, ¬C
10 NFM 2010
Example LTL property - G( A \/ B → C).
Unique First Cause (UFC) Coverage
S0 S1 S2 S3 Si
A, ¬B, C¬A, ¬B, ¬C ¬A, B, C
¬A, ¬B, ¬C
S0 S1 Si
To show independence of B,¬A, B, C
• UFC is an extension of MC/DC to paths Must show individual affect of each atomic
condition as Unique First Cause along path
¬A, ¬B, ¬C
¬A, ¬B, ¬C ¬A, ¬B, ¬C
11 NFM 2010
Study Goals
• Is subsumption between these metrics indicative of practical effectiveness?
• Are these coverage metrics any good?
12 NFM 2010
Case Examples
# Simulink Subsystems
# Blocks # Requirements
DWM_1 3,109 11,439 170DWM_2 128 429 41Vertmax_Batch 396 1,453 294Latctl_Batch 120 718 110
• Avionics systems courtesy of Rockwell Collins Simulink, translated to Lustre
• Includes “good” set of LTL requirements
13 NFM 2010
Basic Experimental SetupImplementation Requirements
Faulty Versions
UFC Coverage
Obligations
Nonreducible UFC Test
Sets
Random Test Sets of
Similar Size
UFC Fault Finding %
Random Fault Finding %
14 NFM 2010
Implementation
Requirements Coverage Info
Requirements Fault Finding %
Requirements
Mutants (600)Mutants (600)Mutants (600)
Mutants (600)Mutants (600)UFC Obligations
Mutants (600)Mutants (600)Antecedent Obligations
Mutants (600)Mutants (600)Requirements Obligations
NuSMV &Gryphon Tool Set (Rockwell Collins)
Antecedent Coverage Info
UFC Coverage Info
Requirements Tests
Antecedent Tests UFC Tests
Reduced Requirements Test Sets (25)
Reduced Requirements Test Sets (25)Reduced UFC Test Sets (25)
Reduced Requirements Test Sets (25)
Reduced Requirements Test Sets (25)
Reduced Antecedent
Test Sets (25)
Reduced Requirements Test Sets (25)
Reduced Requirements Test Sets (25)
Reduced Requirements Test Sets (25)
Antecedent Fault Finding %
UFC Fault Finding %
Reduced Requirements Test Sets (25)
Reduced Requirements Test Sets (25)
Requirements Random Test
Sets (25)
Reduced Requirements Test Sets (25)
Reduced Requirements Test Sets (25)
Antecedent Random Test
Sets (25)
Reduced Requirements Test Sets (25)
Reduced Requirements Test Sets (25)
UFCRandom Test
Sets (25)
Random Fault Finding %
Random Fault Finding %
Random Fault Finding %
Better Than Random?
Random Tests (1000)
15 NFM 2010
Results
• Does subsumption relate to fault finding effectiveness? YES! (Mostly)
• Are these coverage metrics effective measures of adequacy? NO!
For requirements and antecedent coverage YES!
For UFC coverage, for 3 of 4 systems
16 NFM 2010
Results
17 NFM 2010
New Questions
• Why do test sets satisfying requirements and antecedent coverage perform poorly relative to random testing?
• Why does UFC's effectiveness as an adequacy measurement vary between systems?
18 NFM 2010
Test Generation Approaches
Random Test Generation
Requirements
Talented Developers
Tests
Derives
Need more tests !
Measure Coverage
Tests
Done!
Requirements Implementation
Automatic Test Generation Tool
Tests
Done!
19 NFM 2010
Weak Coverage Metrics• Easy to cheat• Major problem when using counterexample based
test generation Counterexamples intended to be simple traces Simple traces make bad tests
• Counterexample based test generation worst case behavior Positive results are positive Negative results are misleading
• Still, satisfying requirements/antecedent coverage not indicative of good tests
20 NFM 2010
Sensitivity to Requirements Structure
• Problem: UFC based temporal and Boolean operators
• DWM_2 system using many relational and arithmetic operators
Revised:
LTLSPEC G(var_a > ( case foo & baz : 0 + 2 ; foo & bpr : 0 + 3 ; bar & baz : 1 + 2 ; bar & bpr : 1 + 3 ; esac ));
Original:
LTLSPEC G(var_a > ( case foo : 0 ; bar : 1 ; esac + case baz : 2 ; bpr : 3 ; esac ));
21 NFM 2010
Conclusion
• Evaluated three black box coverage metrics using 4 realistic avionics system
• UFC only useful coverage metric However, UFC is not useful for all
combinations of requirements and systems
22 NFM 2010
Questions
??
23 NFM 2010
UFC Coverage• G(A)+ = {A U (a ∧ G(A)) | a є A+}
G(A)- = {A U a | a є A-}• F(A)+ = {¬A U a | a є A+}
F(A)- = {¬A U (a ∧ G(¬A))| a є A-}• (A U B)+ =
{(A ∧ ¬B) U ((a ∧ ¬B) ∧ (A U B)) | a є A+} ∪ {(A ∧ ¬B) U b | b є B+}
(A U B)- = {(A ∧ ¬B) U (a ∧ ¬B) | a є A-} ∪ {(A ∧ ¬B) U (b ∧ ¬(A U B)) | b є B-}
• X(A)+ = {X(a) | a є A+}X(A)- = { X(a) | a є A-}
Recommended